605937f9cff20fe5e7ea63d165c258bacca83ec69a99de802088e9a4aa0ace89

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Size

790KB
MD5

6a1bb00b6b8ce3963e7d9b9ef3e2fc10
SHA1

14fc432476f383e5f9ae3a491ef6d23b8d447212
SHA256

605937f9cff20fe5e7ea63d165c258bacca83ec69a99de802088e9a4aa0ace89
SHA512

a963c8444dc2c31c44e9f2d3405dfb3e80c7aa6cf73e9df1684a487ebb55eb5a9ce6b9029ed35c526fca2073c465b6c399cd0b446fd854eaf3e1f662e7fc4413
SSDEEP

12288:87VNyqOFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:QVNn2PLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Copfbfjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Copfbfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hogmmjfo.exe

Executes dropped EXE 22 IoCs

pid	Process
1964	Copfbfjj.exe
2824	Cndbcc32.exe
2732	Dhmcfkme.exe
2296	Dkmmhf32.exe
2772	Dqlafm32.exe
2524	Dgfjbgmh.exe
2836	Enihne32.exe
3036	Elmigj32.exe
2552	Ennaieib.exe
2236	Fhhcgj32.exe
372	Fphafl32.exe
1052	Gicbeald.exe
2116	Gobgcg32.exe
1500	Ghmiam32.exe
2292	Hahjpbad.exe
1088	Hiekid32.exe
1860	Hpapln32.exe
2468	Henidd32.exe
2464	Hogmmjfo.exe
1764	Ieqeidnl.exe
1576	Ioijbj32.exe
1868	Iagfoe32.exe

Loads dropped DLL 48 IoCs

pid	Process
2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
1964	Copfbfjj.exe
1964	Copfbfjj.exe
2824	Cndbcc32.exe
2824	Cndbcc32.exe
2732	Dhmcfkme.exe
2732	Dhmcfkme.exe
2296	Dkmmhf32.exe
2296	Dkmmhf32.exe
2772	Dqlafm32.exe
2772	Dqlafm32.exe
2524	Dgfjbgmh.exe
2524	Dgfjbgmh.exe
2836	Enihne32.exe
2836	Enihne32.exe
3036	Elmigj32.exe
3036	Elmigj32.exe
2552	Ennaieib.exe
2552	Ennaieib.exe
2236	Fhhcgj32.exe
2236	Fhhcgj32.exe
372	Fphafl32.exe
372	Fphafl32.exe
1052	Gicbeald.exe
1052	Gicbeald.exe
2116	Gobgcg32.exe
2116	Gobgcg32.exe
1500	Ghmiam32.exe
1500	Ghmiam32.exe
2292	Hahjpbad.exe
2292	Hahjpbad.exe
1088	Hiekid32.exe
1088	Hiekid32.exe
1860	Hpapln32.exe
1860	Hpapln32.exe
2468	Henidd32.exe
2468	Henidd32.exe
2464	Hogmmjfo.exe
2464	Hogmmjfo.exe
1764	Ieqeidnl.exe
1764	Ieqeidnl.exe
1576	Ioijbj32.exe
1576	Ioijbj32.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Copfbfjj.exe	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Acpmei32.dll	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Dqlafm32.exe	Dkmmhf32.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Ennaieib.exe	Elmigj32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Cbamcl32.dll	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ddgkcd32.dll	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Elmigj32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Fphafl32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Fphafl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmcfkme.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Ennaieib.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Ennaieib.exe
File created	C:\Windows\SysWOW64\Jbelkc32.dll	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Dhmcfkme.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Copfbfjj.exe	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hpenlb32.dll	Copfbfjj.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Epgnljad.dll	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Jfpjfeia.dll	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkmmhf32.exe	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Fphafl32.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Fphafl32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Cndbcc32.exe	Copfbfjj.exe
File created	C:\Windows\SysWOW64\Dqlafm32.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Mkaggelk.dll	Dqlafm32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Dkmmhf32.exe	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Ennaieib.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Ennaieib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	1868	WerFault.exe	49

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll"	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Copfbfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll"	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgkcd32.dll"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	Copfbfjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Copfbfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1964	2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe	28
PID 2224 wrote to memory of 1964	2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe	28
PID 2224 wrote to memory of 1964	2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe	28
PID 2224 wrote to memory of 1964	2224	6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2824	1964	Copfbfjj.exe	29
PID 1964 wrote to memory of 2824	1964	Copfbfjj.exe	29
PID 1964 wrote to memory of 2824	1964	Copfbfjj.exe	29
PID 1964 wrote to memory of 2824	1964	Copfbfjj.exe	29
PID 2824 wrote to memory of 2732	2824	Cndbcc32.exe	30
PID 2824 wrote to memory of 2732	2824	Cndbcc32.exe	30
PID 2824 wrote to memory of 2732	2824	Cndbcc32.exe	30
PID 2824 wrote to memory of 2732	2824	Cndbcc32.exe	30
PID 2732 wrote to memory of 2296	2732	Dhmcfkme.exe	31
PID 2732 wrote to memory of 2296	2732	Dhmcfkme.exe	31
PID 2732 wrote to memory of 2296	2732	Dhmcfkme.exe	31
PID 2732 wrote to memory of 2296	2732	Dhmcfkme.exe	31
PID 2296 wrote to memory of 2772	2296	Dkmmhf32.exe	32
PID 2296 wrote to memory of 2772	2296	Dkmmhf32.exe	32
PID 2296 wrote to memory of 2772	2296	Dkmmhf32.exe	32
PID 2296 wrote to memory of 2772	2296	Dkmmhf32.exe	32
PID 2772 wrote to memory of 2524	2772	Dqlafm32.exe	33
PID 2772 wrote to memory of 2524	2772	Dqlafm32.exe	33
PID 2772 wrote to memory of 2524	2772	Dqlafm32.exe	33
PID 2772 wrote to memory of 2524	2772	Dqlafm32.exe	33
PID 2524 wrote to memory of 2836	2524	Dgfjbgmh.exe	34
PID 2524 wrote to memory of 2836	2524	Dgfjbgmh.exe	34
PID 2524 wrote to memory of 2836	2524	Dgfjbgmh.exe	34
PID 2524 wrote to memory of 2836	2524	Dgfjbgmh.exe	34
PID 2836 wrote to memory of 3036	2836	Enihne32.exe	35
PID 2836 wrote to memory of 3036	2836	Enihne32.exe	35
PID 2836 wrote to memory of 3036	2836	Enihne32.exe	35
PID 2836 wrote to memory of 3036	2836	Enihne32.exe	35
PID 3036 wrote to memory of 2552	3036	Elmigj32.exe	36
PID 3036 wrote to memory of 2552	3036	Elmigj32.exe	36
PID 3036 wrote to memory of 2552	3036	Elmigj32.exe	36
PID 3036 wrote to memory of 2552	3036	Elmigj32.exe	36
PID 2552 wrote to memory of 2236	2552	Ennaieib.exe	37
PID 2552 wrote to memory of 2236	2552	Ennaieib.exe	37
PID 2552 wrote to memory of 2236	2552	Ennaieib.exe	37
PID 2552 wrote to memory of 2236	2552	Ennaieib.exe	37
PID 2236 wrote to memory of 372	2236	Fhhcgj32.exe	38
PID 2236 wrote to memory of 372	2236	Fhhcgj32.exe	38
PID 2236 wrote to memory of 372	2236	Fhhcgj32.exe	38
PID 2236 wrote to memory of 372	2236	Fhhcgj32.exe	38
PID 372 wrote to memory of 1052	372	Fphafl32.exe	39
PID 372 wrote to memory of 1052	372	Fphafl32.exe	39
PID 372 wrote to memory of 1052	372	Fphafl32.exe	39
PID 372 wrote to memory of 1052	372	Fphafl32.exe	39
PID 1052 wrote to memory of 2116	1052	Gicbeald.exe	40
PID 1052 wrote to memory of 2116	1052	Gicbeald.exe	40
PID 1052 wrote to memory of 2116	1052	Gicbeald.exe	40
PID 1052 wrote to memory of 2116	1052	Gicbeald.exe	40
PID 2116 wrote to memory of 1500	2116	Gobgcg32.exe	41
PID 2116 wrote to memory of 1500	2116	Gobgcg32.exe	41
PID 2116 wrote to memory of 1500	2116	Gobgcg32.exe	41
PID 2116 wrote to memory of 1500	2116	Gobgcg32.exe	41
PID 1500 wrote to memory of 2292	1500	Ghmiam32.exe	42
PID 1500 wrote to memory of 2292	1500	Ghmiam32.exe	42
PID 1500 wrote to memory of 2292	1500	Ghmiam32.exe	42
PID 1500 wrote to memory of 2292	1500	Ghmiam32.exe	42
PID 2292 wrote to memory of 1088	2292	Hahjpbad.exe	43
PID 2292 wrote to memory of 1088	2292	Hahjpbad.exe	43
PID 2292 wrote to memory of 1088	2292	Hahjpbad.exe	43
PID 2292 wrote to memory of 1088	2292	Hahjpbad.exe	43

C:\Users\Admin\AppData\Local\Temp\6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a1bb00b6b8ce3963e7d9b9ef3e2fc10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\Copfbfjj.exe
  C:\Windows\system32\Copfbfjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\Cndbcc32.exe
    C:\Windows\system32\Cndbcc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\Dhmcfkme.exe
      C:\Windows\system32\Dhmcfkme.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Dkmmhf32.exe
        
        C:\Windows\system32\Dkmmhf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\Dqlafm32.exe
        
        C:\Windows\system32\Dqlafm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Dgfjbgmh.exe
        
        C:\Windows\system32\Dgfjbgmh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Ennaieib.exe
        
        C:\Windows\system32\Ennaieib.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Fhhcgj32.exe
        
        C:\Windows\system32\Fhhcgj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Fphafl32.exe
        
        C:\Windows\system32\Fphafl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        23⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
790KB

MD5
487f99e5048ccb160298f83d88c77b26

SHA1
92b4a0218dade5451a2687d9d897ee10726fb02c

SHA256
874b96754ec7b5152275f65ba814f7fbd8d88ade3c646b73460e46697c5355d3

SHA512
35df9051f1b84525ac5cebc72f45a6a1964d1482c4dde923b47e7eb6412120410e3b5a98ad838f21393fd35cdb3e829c1e3aee1b08e5ea2655315597e6fecf18

Download Submit
C:\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
790KB

MD5
fb2f18f3d79c4dc3a3659b5e3179a883

SHA1
1340a93fce5dc5964f25358323815f001995e730

SHA256
2c9d4acae566e89feb60a464590469640267f55891ad426c04955fe3e26cd30a

SHA512
d3b893be33cdb7acdf1c359490dec1b9dc7092cc6293ae4bfff5fc46b3081692c2f01cbec163e06ae9389b1ef3a713a41d458292f997be9fa338980b42e207a9

Download Submit
C:\Windows\SysWOW64\Fphafl32.exe

Filesize
790KB

MD5
fc2d3689e4a171bbeecde7693b1ccc43

SHA1
1392390c7ef71ff510c6787353ca20fcb42c46ef

SHA256
222e246553827808108790046c5f7fb1cc510f69733361aeb0e47eaa28ecc66f

SHA512
90c14f7d33caa61353023521c6597f613c50c0a38e847f164ca766c366536004a26c03fede32f2817f34cf896c653b99ee27b0299cbce0cb5b081c4aa7e407f3

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
790KB

MD5
144eb5e3422394b50bcc94ba33fb0d06

SHA1
56b2f864b59e33892c195d5029775a44cabd2139

SHA256
9b3ed7087b03949a60464bc6a55b51635a23ae7fe55ab9ae10af823c75df20bd

SHA512
490283f8cae14cbb656d765dd7474801528a0fe3f5866dcbf003f68b7b74cd26bca0b1683367d52e6f93e70e781b7304408921d94b2f558fcdddaf493f485d89

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
790KB

MD5
4104626ee618ad93af9f56c7c966d7ac

SHA1
b7ba04083fb9fe948f7cda1772a4ccde41f54fac

SHA256
830c35682fc34feb9986d766775f4034fed0c8a8bb9ed17cd3e4e04d0d96d6d5

SHA512
7939caaeb365877d53c8e3cf48771ec1e48371faab26df0103a5eba5eb69554b5766776e03400d946ab7faedd4d6529be62cf1d97de7110fbd0b90041dd35fc7

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
790KB

MD5
ee81409fab184ebac0f5d81f7b7e6988

SHA1
f1df68b209285e76a8553e70b3ce030fbac37e0c

SHA256
a40201a26338c93f85060fb5834bf4e58f155a93346c4c658657fefaea42197b

SHA512
b471a4fac8704dae6a09819de9b469fd90adb0ab83c85c01b28e52ce58e00d3ba1d4fcccd3e1c980f6b03cce5dd801015dfc3adba203fd1574849e2cbc75ce3e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
790KB

MD5
71a5583dcb85015c6d27ee88680b2845

SHA1
5c085e6495efbccbb2228d68bc79606ea34a563a

SHA256
d501d117686328508d084c0e98546aa932b03b74b0038c3bb1006c5ba27e667c

SHA512
df3c0aa60de4a300120092120bb1ee6d9512781e1eb953a53f3278b6b323edd88879d6f3c6831ab21d0fba38c743bf848b551a2e187f85f6c1b38992e93e69a2

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
790KB

MD5
982d471eabad2b60d7166149aaf8c21e

SHA1
6f72b9b7d72dbdbad1cc5e48bfdb42109faf4684

SHA256
ccd63bb4f7745429af9fc3fb5b61bb96cee473477943676ac825a9af538e3130

SHA512
386842aeec5426859517955b532c74fe8e049d75725931d1d292207f3ea05de24f2672bf0bfc3267997df443c8317ae7e6b160b4896ac93e00e09253aae08e2e

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
790KB

MD5
a1dae1525d9b9225ee6fdce5399b2f74

SHA1
694b6dd27ad1d3af3548b61bc2cba8d6c07e097e

SHA256
bb2c8e4047639b60040c80b7810eb309b2187ac258a177451dfde5b2e5ba1a87

SHA512
1e7577786d6fdbd6476514a9eb86196cde506aaab0e201916d089a98df75deb035d1627d76ed8267e2ac89b037dc1e225829dacb9ada20cacc69610ff1aa139b

Download Submit
C:\Windows\SysWOW64\Jfpjfeia.dll

Filesize
7KB

MD5
2ec0e50c552d6deb7c7c3a02d6a31520

SHA1
012bb8500df48e6040a05d36d493d409b94f2f60

SHA256
056da2869741871e06a2cbe5bcf8d866c5e08082987e4eddaef7c940a6b7fcac

SHA512
dcdf319922789a16df271ec9f4af56fada39ba4fd282cb7484a05f10c2791d9c659822a63bacb6c6c6180cc42e4a81903c26a936854f803037d3743861d30a09

Download Submit
\Windows\SysWOW64\Copfbfjj.exe

Filesize
790KB

MD5
797e855bfe601b87a086cc19b2a3fb15

SHA1
22d759726361c6a6bc66f4039d04773d68ed64e2

SHA256
210863f7ce4d3ed93542c0b505b92ea9be35e290f18b566c315f3cd65ad4e276

SHA512
7c71670a88894a0887ed1f9e579c92b35c00bf19828a38412a8f92c4f9c01dc6c32d9b88130ab4156bebd1bdb6a8e6b482be96d04ead9f01dcef922b57f09a4a

Download Submit
\Windows\SysWOW64\Dhmcfkme.exe

Filesize
790KB

MD5
a66f0d34a8fb09385a96f5b8f3446056

SHA1
05d51c781756a6716b220c32ee8f23e1fd656755

SHA256
ec8f63bc2ae023620a4efb9d7181733137555b974682635633d5d43ece2fb520

SHA512
7fcf265fb91a40ae1902bdb4375010d13e41b1a21296cf372c71a1b007d40891db4481f3216f05871a4060a041cf133558b4e87ad22e7019723ea810cf393dfc

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
790KB

MD5
1ea192c461c23bc69cb9cdd7d3cb4c70

SHA1
d32abc4bacbfdcf1ca0fe953474ce1aef9403450

SHA256
28e398b52e9144b8248c9984b1e7580089cc050d722d6c9052e1de796d3dda01

SHA512
78432185c847d44826ebb17862e8cf7b0a77151ba3145b342facf79f3dda5686d60f0796884612d0644e4cec5b854c1e7a90475c4db159556036650415bd40f7

Download Submit
\Windows\SysWOW64\Dqlafm32.exe

Filesize
790KB

MD5
73da241abb6da273270d9e0f075fac5f

SHA1
ad6cb8c479b0fa138a0b5416f12cd6c80498ae8d

SHA256
9de96bc2c399d843371bbd8cb0737918381fa20c2b9036335294afa37765efb0

SHA512
3eecaed9899ff0638a15a4cc2b61355247ea0845d30309478cf84a21853a11b07897b3cb7c8ed31d13f2eea6671be233a4302cbe1a2eebc1f68978e99d7926c3

Download Submit
\Windows\SysWOW64\Elmigj32.exe

Filesize
790KB

MD5
e8f0b96ffc56197dc5d074f236d01892

SHA1
d566605d63eefc673584d295ea6fb0fc69275a54

SHA256
7182fd30fc519975826ecc6f5e5098574f5813ece3efb028fc9d702087d4b85a

SHA512
56b696e59f116681790c6940b997682b577beb1e4b4999e229631c9cf1c5887ec1fd2c629fca5b9c482d2008f683e63697a9f6ba854fd16f042df97899c041fe

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
790KB

MD5
d9cf74c3dc2d8a98d4efd4a9928bcaba

SHA1
4e144e5fb35b15fa15f85b22bad29c96fd1e9d00

SHA256
a8472ba5da5ed9777f5eb99287f604e3a250a2b29ecd614488f3a82dd9a8588c

SHA512
c47a99c667a2531c8ac84500ff95f430d50454a767a3d9fa3acc77574b81d56af001fde2a7c933940ef78ea880379b1a890fbab9ab317d7d91dabd0dc756fc6f

Download Submit
\Windows\SysWOW64\Ennaieib.exe

Filesize
790KB

MD5
c7030f2fdf2eacb4e1c3267c141b8ee3

SHA1
467745197e857c76b58892df9c47ebd52c702a83

SHA256
6def1e56d077be8828672dcb5e9f2641f5f497c889daed5c28faea1a618bed73

SHA512
00bc50ff1ef7e4f80b84873ae8a221ad07cf06f69ab42c7c0b201f210115fb944c87409d3f7daa683e44689572d559627f51da7da1bcf500d4758ae539721544

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
790KB

MD5
17b11a790945ecd7b72a80acd04c9aa6

SHA1
f9ca1529ffc0e1f3fc60ea0e796cb1c3bcfcf98c

SHA256
4d7d3d93a1562976633420b3f7c8e3b8ba815f4275a98117fbf6de7edf7e2d12

SHA512
e6f3ff9cafb561f84bcda1d2620f3aee8d60f64ed56e24077a52c66240820eacef8eedd0570e61b37088c8e1c89fd496a74f332e3f53df5b92939cf62f589852

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
790KB

MD5
e71d0ed254fc61ee55cadb4a12e2987b

SHA1
516b5d3ba25f6b3a7d338130a2634c167a7c54f1

SHA256
66fc3a7d90c0d2cd6fc00d0cccdaafeef19e65a35e051d91e75d9847558a4be4

SHA512
1c5b39a64db54fc019d8c475cf013e4084c3fe661b61ffe27185322d968804daa4fed067678c1ec23d11b96f25ef1d65f6e529fded2a675a4e6c2b51c47e5473

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
790KB

MD5
727584de3f9309569d10e5bf64838658

SHA1
ea12b87699a8d399428e01c55df367869974f300

SHA256
83e273e8025862ede77179fc7e8bc71a1e74fcb8e47db132db02798148cc9e8d

SHA512
8b4e3c308b7604bf5ac94562920f9bc7d09caee4131cf27fde5b639d67a56686fb660158d01f04cbf29f17942131f5f4eb23d4fca9f160e555f38c7a734c266a

Download Submit
\Windows\SysWOW64\Gobgcg32.exe

Filesize
790KB

MD5
54950f1fb444687ff12f6b5380c42bfa

SHA1
83417339a66c75c2ae7365ade2692210234cbc61

SHA256
2c026aa1d33ef41a0a240094bdd4ebb4c18eda9d799c76266e569ee9b4ff4163

SHA512
af0a469e707d2c44ab950fbe0c0c069dd2bd94085b526710cad8431121d522d530bb92d4017087d51e1ca8f619e056f191bf39d6099b307219eb31540e8b6915

Download Submit
\Windows\SysWOW64\Hahjpbad.exe

Filesize
790KB

MD5
77c57dedb9cfcfdd0803e091156b27ab

SHA1
9f325a4714f7eaf436e9454df98be11bc167abd9

SHA256
69d61e2654c488c5c61cc409f4f2928981f1c88d0a2eea15eca8d400b47a8b5b

SHA512
391c00cfb3f66af28eb159559e55442656565fa88f7af58a03f8ae24eb06ac9f9bddd2069c6148a3c0565e80d5d69a8877592e8bbbeb59d86d1fe1cc6a73a605

Download Submit
\Windows\SysWOW64\Hiekid32.exe

Filesize
790KB

MD5
0349d68556948c388536548ca0a83ebe

SHA1
c253fb3cf3b96f764ad8f7b5ae009368a9d78708

SHA256
3ae7d485de895f91e2c63564908929e34e5d3f792ba992121d20b13a2850b72f

SHA512
068d2b5dc0c2ec748a210f6c88535d13b0020b7bf79dcd496b88ce906d20b33188ad3bd9cb87b7003ab9ce7557b45a386eeb62d0535b0346468ae0e889189817

Download Submit
memory/372-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-164-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/372-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-176-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1088-228-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1088-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-277-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1576-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-26-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1964-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-27-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2116-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2236-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-68-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2464-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-93-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2552-136-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2552-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-55-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2732-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-83-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2824-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-35-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2836-113-0x0000000001FC0000-0x0000000001FF3000-memory.dmp

Filesize
204KB

Download
memory/2836-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-112-0x0000000001FC0000-0x0000000001FF3000-memory.dmp

Filesize
204KB

Download
memory/3036-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-132-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads